Sonarqube 8.9 with Azure Devops is not decorating PRs

Hello,

I’m using SonarQube Developer edition 8.9 (full install on a dedicated machine) in an Azure DevOps environment, running against a scan using the Maven SonarQube plug-in. I can successfully run a SonarQube scan using an ADO build pipeline and the results correctly show up in SonarQube, but when we run that same pipeline as part of a build policy against a Pull Request, we don’t get decoration.

So far, I’ve re-checked all the settings in Azure DevOps integration and as far as I can tell, they’re correct. I’ve re-checked my ADO authorization token and it’s correct and I’ve confirmed that the account associated with that token has code read/write permissions. I’ve turned on debug logging and checked the CE log to see if there are any error messages, but I see no errors or warnings (or anything that looks remotely troublesome). As far as SonarQube is concerned, it seems to believe it succeeded. I’ve double-checked the policies being enforced to make sure my test code violates some of them. In all cases, scans of PRs in this repo don’t yield comments on the associated PRs.

The most frustrating part of this whole thing is that I have, as far as I can tell, identical settings on a different repo, and the annotations work fine there. The other repo is much less complex, and much smaller (and also has a MUCH shorter build time, so it’s easier to test with), so it’s entirely possible that some complexity there has hosed me, but at this point I don’t even know how to begin to find it. I’m out of ideas.

If it helps, our pipeline looks like this:

trigger:
- release/*
- main

stages:
- stage: Sonar
  displayName: Run Sonar
  jobs:  
    - job: Run_Sonar
      timeoutInMinutes: 240
      displayName: Run Sonar
      pool: 'General'
      variables:
      - template: '../Vars/VariablesAllPipelines.yml'
      steps:

# Prepare Analysis Configuration task
      - task: SonarQubePrepare@5
        inputs:
          SonarQube: 'our.sonarqube.server'
          scannerMode: 'Other'
          extraProperties: 'sonar.projectKey=our.repo.name.git'

      - task: Maven@3
        timeoutInMinutes: 120
        inputs:
          mavenPomFile: 'components/pom.xml'
          goals: 'clean install'
          options: '-PbuildServices,sonar -Dsonar.projectKey=our.repo.name.git -Dsonar.host.url=http://our.sonarqube.server -Dsonar.login=OURTOKENAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -D sonar.exclusions=**/*.html,**/*.css,**/*.wsdl,**/*.xml -D sonar.coverage.jacoco.xmlReportPaths=${project.build.directory}/target/'                 
          mavenOptions: '$(maven.opts)'
          publishJUnitResults: true
          javaHomeOption: JDKVersion
          mavenVersionOption: Default
          sonarQubeRunAnalysis: true

# Publish Quality Gate Result task
      - task: SonarQubePublish@5
        inputs:
          pollingTimeoutSec: '300'

and the sonar profile in our POM looks like this:

<profile>
            <id>sonar</id>
            <activation>
                <activeByDefault>false</activeByDefault>
            </activation>
            <build>
                <plugins>
                    <plugin>
                        <groupId>org.sonarsource.scanner.maven</groupId>
                        <artifactId>sonar-maven-plugin</artifactId>
                        <version>3.7.0.1746</version>
                    </plugin>
                    <plugin>
                        <groupId>org.jacoco</groupId>
                        <artifactId>jacoco-maven-plugin</artifactId>
                        <version>0.8.2</version>
                        <executions>
                            <execution>
                                <id>default-prepare-agent</id>
                                <goals>
                                    <goal>prepare-agent</goal>
                                </goals>
                            </execution>
                            <execution>
                                <id>default-report</id>
                                <phase>verify</phase>
                                <goals>
                                    <goal>report</goal>
                                </goals>
                            </execution>
                        </executions>
                        <configuration>
                            <destFile>${project.build.directory}/jacoco.exec</destFile>
                        </configuration>
                    </plugin>
                </plugins>
            </build>
        </profile>

Finally, my deliberately horrible code looks like this (you’ll notice some of the text is copy/pasted verbatim from the SQ example of what NOT to do):

public String ReallyBadFunction(String foo) throws Exception {
    String s = "foo";
    String S = "bar";
    String Q = "for";
    Q = "more badness";

    switch (param) {  // missing default clause
        case 0:
            doSomething();
            break;
        case 1:
            doSomethingElse();
            break;
    }

    switch (param) {
        default: // default clause should be the last one
            error();
            break;
        case 0:
            doSomething();
            break;
        case 1:
            doSomethingElse();
            break;
    }

    System.out.println("sq will HATE this");
    //System.out.println("sq will HATE this");
    String Z = foo + Q;

    if (s != S) {
        return "";
    }
    s = S;
    if (s != S) {
        return "";
    }

    if (true) {
        while (Q != "A") {
            int i = 1 + 1;
        }
        throw new Exception("this should really make ");
    }
    return s + S;
}

Anyone have any ideas? I’ve searched the Internet and these forums for close to a week now looking for ideas, and I’ve tried everything I’ve come across, but with no success.

I would greatly appreciate any ideas anyone may have about how to get this sorted, or even ideas on how to troubleshoot further.

Thanks in advance :slight_smile:

It seems relevant to add this: I can see the specific branch show up in the branches tab in SonarQube, but when I view it, no code shows up. This is true for all of the branches that are scanned as part of a PR.

When we scan our main branch, however, the code is all there.

Hi @dash ,

Welcome to Sonar Community :sonar:

I can’t ascertain what the issue is, but the first thing to verify is that you use the latest version of everything (SonarQube version, scanner version, ADO task version, etc.).

A few comments:

  • You are running SonarQube 8.9, which is outdated and not supported. Please upgrade to SonarQube 9.9 LTS and verify if you still see the same problem.
  • In the ADO pipeline you showed:
    1. Can you “simplify” your pipeline and use the sonar:sonar goal instead of placing it in a profile and remove buildServices? Effectively, remove -PbuildServices,sonar and use sonar:sonar goal. I believe the way you have it may work, but let’s try simplifying the number of profiles and use just the minimum. Example of what it looks like in a Maven multimodule pom.xml here. Don’t worry about Jacoco coverage for now, we can add that back later.
    2. Usually, the pom.xml is in the root of the project, but here you have it in the components folder. Is that intentional?
    3. You are using an old Sonar scanner for Maven version. Please upgrade to the current latest version of 3.9.1. See SonarScanner for Maven for a link to the latest versions.

In summary, please do the following:

  • Upgrade to SonarQube 9.9 and upgrade the Sonar Scanner for Maven to 3.9.1.
    • Note that you will need Java 17 for SonarQube 9.9 and at least Java 11 or Java 17 for scanning a project (but not necessarily for building it). Please check Scanner environment for more info.
    • You may need to import your server certificates (LDAP, ADO on-prem cert, Jenkins, etc.) into the Java 17 cacerts truststore when running SonarQube 9.9.
  • If you continue to have issues using the latest versions of SonarQube and Sonar scanner for Maven, please notify me here so that you can share the following logs privately with me:
    1. Set DEBUG log level in SonarQube
    2. Scan with DEBUG Maven logs via -X
    3. Reset to INFO log level in SonarQube
    4. Download the ce.log, Azure pipeline yaml, and ADO full build logs
    5. Screenshot of your PR changes
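As an added illustration (not part of the original thread) of the simplification suggested above, here is the Sonar part of the pipeline with the `sonar` profile replaced by an explicit, version-pinned `sonar:sonar` goal and the analysis narrowed with `sonar.inclusions`. The service connection name, POM path and the `PLACEHOLDER_MODULE` path are assumptions; the Prepare task supplies `sonar.host.url` and the token to the Maven step, so the plain-text `-Dsonar.login=…` in `options` is not needed and the token no longer sits in the YAML.

```yaml
# Added example, not the original poster's pipeline.
# Assumes the same service connection name and root POM as the thread.
- task: SonarQubePrepare@5
  inputs:
    SonarQube: 'our.sonarqube.server'
    scannerMode: 'Other'
    # Analysis properties live here instead of in the Maven command line.
    # sonar.inclusions temporarily limits the scan to the module holding the
    # test change (PLACEHOLDER_MODULE is a placeholder path), which keeps the
    # PR run short while checking that decoration works.
    extraProperties: |
      sonar.projectKey=our.repo.name.git
      sonar.inclusions=**/PLACEHOLDER_MODULE/**/*.java
      sonar.exclusions=**/*.html,**/*.css,**/*.wsdl,**/*.xml

- task: Maven@3
  timeoutInMinutes: 120
  inputs:
    mavenPomFile: 'components/pom.xml'
    # The scanner goal is invoked by full coordinates, pinning the
    # 3.9.1 release the reply recommends, so no 'sonar' profile and
    # no -PbuildServices are required for the analysis itself.
    goals: 'clean verify org.sonarsource.scanner.maven:sonar-maven-plugin:3.9.1.2184:sonar'
    mavenOptions: '$(maven.opts)'
    publishJUnitResults: true
    javaHomeOption: JDKVersion
    mavenVersionOption: Default
    # With this flag the task passes the Prepare step's host URL and
    # credentials to the scanner, so no token appears in this file.
    sonarQubeRunAnalysis: true

- task: SonarQubePublish@5
  inputs:
    pollingTimeoutSec: '300'
```

If the build genuinely needs the `buildServices` profile to compile, `options: '-PbuildServices'` can be kept; the point is only that the `sonar` profile and the inline token are gone.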

Hi Joe,

Thanks for the reply. The short version is that moving off 8.9 LTS, as much as I’d love to do it, isn’t a viable option in the near-term for a variety of reasons, some technical, most bureaucratic. 8.9 was the supported LTS version until just last month… I’m surprised to find out that SonarSource doesn’t have any overlap between supported LTS versions to allow your customers to transition. I’m working that process, but approval times range from days to months, without any rhyme or reason, so for now assume I’m stuck on 8.9.

  1. I’ll try re-running with a simplified pipeline today and report back.
  2. Yes, our top-level POM is components/pom.xml for this repo. All of our source lives under components/ as well.
  3. I’m using an old Maven plugin because when I tried to use the latest Maven plugin, it wasn’t compatible with SonarQube 8.9, which as I mentioned, I’m stuck on for now.

I’ve turned on debug logging on the SonarQube server and the logs seem to think everything went fine. There are no maven errors or relevant-looking warnings either (though I’ll try with -X and see. It’s a multi-hour build, so that log file might take me a bit to comb through…). None of the code shows up in the Code view when I look at the branch on the SQ server, though; it’s almost as if when I scan as part of a PR, sonarqube just isn’t finding source code (or whatever it’s doing to see the changes in the PR is turning up empty).

Is it possible that having our source root different than our repository root is causing the issue? And if so, is there a way to specify the source root? (sonar.projectBaseDir already gets set to components/… I didn’t see any others that looked promising on Analysis parameters, but maybe I missed it?)

I’ll make your suggested changes and report back.

Thanks,

D

You can try using your test/staging license to upgrade to 9.9. That should prove easier for you to upgrade.

You should upgrade to 3.9.1, which is the latest one. It is backward-compatible with older versions of SonarQube. The version of a scanner operates (mostly) independently of the SonarQube version.

You might want to reduce the scope of folders/files to scan, which will speed up your build since you only care about the PR decoration working, not about finding every issue. You can use sonar.inclusions or sonar.exclusions (see Narrowing the focus with analysis scope).

That is possible, so I will need to look at your DEBUG logs. When you are ready to share, let me know here and I can ping you privately.

Hi Joe,

I tried everything you suggested (except moving to 9.9… still waiting on approval to put that on our equipment), and it’s mostly working.

I upgraded to 3.9.1, switched to a command-line goal rather than a profile, and then tried narrowing the scope to speed things up by (temporarily) changing the maven command to build just the specific module (buried deep in our large POM tree) that had my test code in it. When I did all 3 of these things, PR decoration worked.

I committed the POM changes, and some of the other PRs are now being decorated… so it was either something in my profile, or using the outdated maven plugin version that fixed it.

Some of the PRs with code changes are still showing no code when I look at that branch in SonarQube. I’m not sure what’s actually going on, but I’m starting to suspect that some of our modules are either not being built at all (i.e., they’re just dead code and I happened to pick a dead class to test in) or the mechanism that the maven sonar plugin uses to set sonar.sources isn’t working right for our (admittedly large, probably unnecessarily complicated) POM tree, and is skipping some modules.

I need to do some additional testing, but for now I think I have what I need to keep moving forward. Thank you so much for taking the time to assist. :smile:


My money is on the Sonar scanner maven plugin, but if you have time, please confirm if the POM changes helped or not.

You’re welcome! Glad to assist y’all!